http://www.aloha.net/~khigaki/ - Webpage (mc32v702.zip - (352k)).
Welcome once again to another tutorial. MicroChart is actually quite an interesting study because reaching the relevant checking routines is part of the challenge. At $99 MicroChart/32 is also fairly expensive shareware and in my opinion overpriced, yet another reason why this program's protection should be reversed for all those who might be interested. Well, let's start the program; you should easily locate the registration option, so proceed as usual and insert your desired details.
There are several things to note here. Firstly, a program blunder: the (Optional) text should immediately alert you to the possibility that the Organization may not be used in the generation of a License No. Secondly, don't start setting breakpoints just yet; click O.K. and you'll see a 2nd message box asking you to confirm the correctness of the information, so the checking at this point is yet to be performed. The problem is how we can gain a fix upon the information entered with Softice.
Well, let's just take a look at the error message, "ERROR! Incorrect registration number or name entered". Now let's fish a little inside WDasm32; you should locate the following code, just before the String Reference "ERROR!".
:00403217 SUB ESP,04 <-- Stack Correction.
:0040321A MOV [EBP-10],ESP
:0040321D PUSH 0046C3C4
:00403222 MOV ECX,[EBP-10]
:00403225 CALL 004391FC <-- Function_2_before.
:0040322A MOV [EBP-04],08
:0040322E MOV EAX, [0046C394] <-- Pointer.
:00403233 MOV [EBP-04],BL <-- Another pointer.
:00403236 PUSH EAX <-- Push EAX to stack for next function.
:00403237 CALL 00405A40 <-- Function_1_before.
:0040323C ADD ESP,08 <-- Correct stack.
:0040323F MOV [0046C3A0],EAX <-- Pointer check.
:00403244 TEST EAX,EAX <-- Test EAX=0.
:00403246 JNZ 0040329A <-- Jump_to_String_Reference_"THANK YOU!".
So this code looks suspicious, and from our many experiences of this type of scheme it can be expected that only the 2 functions before the critical jump will be interesting. When I reversed this protection I actually spent some more time inside WDasm32 just feeling the code of these 2 function calls, looking for any signs of a protection scheme; you might like to try this and test your 'zen' abilities.
Time for some zen. You should see from the code above how CALL 00405A40 hides the protection scheme; just note the setting of a pointer as opposed to a stack POP. Inside this function you'll note a REPNZ SCASB (string length) and then this snippet.
:00405A8D LEA ECX,[EBP-5C] <-- Might_be_interesting (in fact name entered).
:00405A90 PUSH ECX <-- Push it for the next function.
:00405A91 PUSH AFBECDDC <-- HERE.
:00405A96 CALL 00421490 <-- Function call.
This PUSH AFBECDDC caught my attention very quickly; just look closely at the code and feel. This is obviously some sort of default value used in a protection routine of sorts, the location of which is now established.
So let's get back to the original dilemma: how do we trace this code with Softice? Well, I elected to perform some temporary INT 3 patching just before the relevant checks, so perhaps patch PUSH EAX with INT 3 and then assemble in the correct instruction when Softice breaks on >bpint 3.
50 E8 04 28 00 00 83 C4 08 <-- 00403236.
CC E8 04 28 00 00 83 C4 08 <-- Patch with INT 3.
So let's take a brief look at the protection routine. Note that unless you want to trace a rather long loop which generates a key value, trace inside 00421490 and then type >g 0137:004214E5. Note that any key generator will need to take into account the loop prior to this and also that EDX is pre-initialised to 100h.
:004214EE XOR ECX,ECX <-- Clean ECX.
:004214F0 MOV EDI,[ESP+18] <-- Name.
:004214F4 MOV EAX,[ESP+10] <-- Value AFBECDDC.
:004214F8 CMP EDI,ECX <-- Check end of name.
:004214FA JLE 00421524
:004214FC MOV ESI,[ESP+14] <-- Pointer to name.
:00421500 MOV DL, BYTE PTR [ESI+ECX] <-- 1st letter of name.
:00421503 XOR EBX,EBX <-- Clean EBX for storing.
:00421505 XOR DL,AL
:00421507 INC EAX
:00421508 SHR EAX,08 <-- Shift right.
:0042150B MOV BL,DL
:0042150D MOV EDX,  <-- Value from previous loop.
:00421513 MOV EDX, [EDX+4*EBX] <-- Arithmetic.
:00421516 XOR EDX,EAX <-- More XORing.
:00421518 CMP ECX,EDI <-- Check end of name.
:0042151A MOV EAX,EDX
:0042151C JL 00421500 <-- Loop name.
So the actual routine isn't particularly weak; there's some XORing and shifting as well as subtle incrementing. At the end of the loop the good License No. is the decimal value of EAX, which will of course be checked against the code entered using the pointer at [0046C3A0]. Like most Windows 95 applications, the information is stored in the registry.
License Number: 2509436734
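As an added illustration, not code from the tutorial or from MicroChart: a Python model of the loop at 00421500-0042151C, showing why this design is weak from a defender's point of view (the number is a pure function of the name and a constant shipped in the binary, so anyone who reads the loop can reproduce it), next to the keyed check that would close that gap. The table-building loop and the table address are not shown on the page, so a standard CRC-32 table and the seed AFBECDDC are assumed here, and the hmac variant is a constructed contrast, not the program's scheme.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
SEED = 0xAFBECDDC  # the constant pushed at 00405A91


def build_table():
    """Constructed stand-in for the 256-entry table (EDX starts at 100h).
    The page does not show the real table-building loop, so a standard
    reflected CRC-32 table is ASSUMED here."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


def licence_number(name: bytes, table, seed: int = SEED) -> int:
    """Model of the checking loop: EAX carries the running value."""
    eax = seed
    for ch in name:
        dl = (ch ^ (eax & 0xFF)) & 0xFF     # MOV DL,[ESI+ECX]; XOR DL,AL
        eax = ((eax + 1) & MASK32) >> 8     # INC EAX; SHR EAX,08
        eax = table[dl] ^ eax               # MOV EDX,[table+4*EBX]; XOR EDX,EAX; MOV EAX,EDX
    return eax & MASK32                     # the caller compares its decimal form


def keyed_licence(name: bytes, secret: bytes) -> str:
    """Defensive contrast (assumption, not the program's scheme): a MAC under a
    secret that never ships in the binary cannot be recomputed from the name
    and the disassembly alone; issue it server-side or use a signature."""
    return hmac.new(secret, name, hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    t = build_table()
    print(licence_number(b"constructed name", t))   # deterministic from name + seed
    print(keyed_licence(b"constructed name", b"constructed secret"))
```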